Abstract. Deciding equivalence of probabilistic automata is a key problem for establishing various behavioural and anonymity properties of probabilistic systems. In recent experiments a randomised equivalence test based on polynomial identity testing outperformed deterministic algorithms. In this paper we show that polynomial identity testing yields efficient algorithms for various generalisations of the equivalence problem. First, we provide a randomised NC procedure that also outputs a counterexample trace in case of inequivalence. Second, we consider equivalence of probabilistic cost automata. In these automata transitions are labelled with integer costs and each word is associated with a distribution on costs, corresponding to the cumulative costs of the accepting runs on that word. Two automata are equivalent if they induce the same cost distributions on each input word. We show that equivalence can be checked in randomised polynomial time. Finally we show that the equivalence problem for probabilistic visibly pushdown automata is logspace equivalent to the problem of whether a polynomial represented by an arithmetic circuit is identically zero.



1 Introduction 

Probabilistic automata were introduced by Michael Rabin [20] as an extension of deterministic finite automata. Nowadays probabilistic automata, together with associated notions of refinement and equivalence, are widely used in automated verification and learning. Two probabilistic automata are said to be equivalent if each word is accepted with the same probability by both automata. Checking two probabilistic automata for equivalence has been shown to be crucial for efficiently establishing various behavioural and anonymity properties of probabilistic systems, and is the key algorithmic problem underlying the apex tool [18, 16, 12].

It was shown by Tzeng [27] that equivalence for probabilistic automata is decidable in polynomial time. By contrast, the natural analog of language inclusion, that one automaton accepts each word with probability at least as great as another automaton, is undecidable [6] even for automata of fixed dimension [4]. It has been pointed out in [8] that the equivalence problem for probabilistic automata can also be solved by reducing it to the minimisation problem for weighted automata and applying an algorithm of Schützenberger [23].

In [12] we suggested a new randomised algorithm which is based on polynomial identity testing. In our experiments [12] the randomised algorithm compared well with the Schützenberger-Tzeng procedure on a collection of benchmarks. In this paper we further explore the connection between polynomial identity testing and the equivalence problem of probabilistic automata. We show that polynomial identity testing yields efficient algorithms for various generalisations of the equivalence problem.

In Section 3 we give a new randomised NC algorithm for deciding equivalence of probabilistic automata. Recall that NC is the subclass of P containing those problems that can be solved in polylogarithmic parallel time [11] (see also Section 2). Tzeng [28] considers the path equivalence problem for nondeterministic automata which asks, given nondeterministic automata A and B, whether each word has the same number of accepting paths in A as in B. He gives a deterministic NC algorithm for deciding path equivalence which can be straightforwardly adapted to yield an NC algorithm for equivalence of probabilistic automata. Our new randomised algorithm has the same parallel time complexity as Tzeng's algorithm, but it also outputs a word on which the automata differ in case of inequivalence, which Tzeng's algorithm cannot. Our algorithm is based on the Isolating Lemma, which was used in [17] to compute perfect matchings in randomised NC. The randomised algorithm in [12], which relies on the Schwartz-Zippel lemma, can also output a counterexample, exploiting the self-reducibility of the equivalence problem; however, it does not seem possible to use this algorithm to compute counterexamples in NC. Whether there is a deterministic NC algorithm that outputs counterexamples in case of inequivalence remains open.

In Section 4 we consider equivalence of probabilistic automata with one or more cost structures. Costs (or rewards, which can be considered as negative costs) are omnipresent in probabilistic modelling for capturing quantitative effects of probabilistic computations, such as consumption of time, (de-)allocation of memory, energy usage, financial gains, etc. We model each cost structure as an integer-valued counter, and annotate the transitions with counter changes.

In nondeterministic cost automata [2, 14] the cost of a word is the minimum of the costs of all accepting runs on that word. In probabilistic cost automata we instead associate a probability distribution over costs with each input word, representing the probability that a run over that word has a given cost. Whereas equivalence for nondeterministic cost automata is undecidable [2, 14], we show that equivalence of probabilistic cost automata is decidable in randomised polynomial time (and in deterministic polynomial time if the number of counters is fixed). Our proof of decidability, and the complexity bounds we obtain, involve a combination of classical techniques of [23, 27] with basic ideas from polynomial identity testing.



We present a case study in which costs are used to model the computation time required by an RSA decryption routine, and show that the vulnerability of the routine to timing attacks depends on the (in-)equivalence of probabilistic cost automata. In [13] two possible defenses against such timing leaks were suggested; we also analyse their effectiveness.

In Section 5 we consider pushdown automata. Probabilistic pushdown automata are a natural model of recursive probabilistic procedures, stochastic grammars and branching processes [10, 15]. The equivalence problem of deterministic pushdown automata has been extensively studied [25, 26]. We study the equivalence problem for probabilistic visibly pushdown automata (VPA) [3]. In a visibly pushdown automaton, whether the stack is popped or pushed is determined by the input symbol being read.

We show that the equivalence problem for probabilistic VPA is logspace equivalent to Arithmetic Circuit Identity Testing (ACIT), which is the problem of determining equivalence of polynomials presented via arithmetic circuits [1]. Several polynomial-time randomised algorithms are known for ACIT, but it is a major open problem whether it can be solved in polynomial time by a deterministic algorithm. The inter-reducibility of probabilistic VPA equivalence and ACIT is reminiscent of the reduction of the positivity problem for arithmetic circuits to the reachability problem for recursive Markov chains [10]. However, in that case the reduction is only in one direction, from circuits to recursive Markov chains.

In the technical development below it is convenient to consider Q-weighted 
automata, which generalise probabilistic automata. All our results and examples 
are stated in terms of Q-weighted automata. Some proofs have been moved to 
an appendix. 

2 Preliminaries 

2.1 Complexity Classes 

Recall that NC is the subclass of P comprising those problems considered efficiently parallelisable. NC can be defined via parallel random-access machines (PRAMs), which consist of a set of processors communicating through a shared memory. A problem is in NC if it can be solved in time $(\log n)^{O(1)}$ (polylogarithmic time) on a PRAM with $n^{O(1)}$ (polynomially many) processors. A more abstract definition of NC is as the class of languages which have L-uniform Boolean circuits of polylogarithmic depth and polynomial size. More specifically, denote by $\mathrm{NC}^k$ the class of languages which have circuits of depth $O(\log^k n)$. The complexity class RNC consists of those languages with randomised NC algorithms. We have the following inclusions, none of which is known to be strict:

$$\mathrm{NC}^1 \subseteq \mathrm{L} \subseteq \mathrm{NL} \subseteq \mathrm{NC}^2 \subseteq \mathrm{NC} \subseteq \mathrm{RNC} \subseteq \mathrm{P}.$$

Problems in NC include directed reachability, computing the rank and determinant of an integer matrix, solving linear systems of equations and the tree-isomorphism problem. Problems that are P-hard under logspace reductions include circuit value and max-flow. Such problems are not in NC unless P = NC. Problems in RNC include matching in graphs and max-flow in 0/1-valued networks. In both cases these problems have resisted classification as either in NC or P-hard. See [11] for more details about NC and RNC.

2.2 Sequence Spaces 

In this section we recall some results about spaces of sequences [22]. Given $s > 0$, define the following space of formal power series:

$$\ell_1(\mathbb{Z}^s) := \Big\{ f : \mathbb{Z}^s \to \mathbb{R} \;:\; \sum_{v \in \mathbb{Z}^s} |f(v)| < \infty \Big\}.$$

Then $\ell_1(\mathbb{Z}^s)$ is a complete vector space under the norm $\|f\| = \sum_{v \in \mathbb{Z}^s} |f(v)|$. We can moreover endow $\ell_1(\mathbb{Z}^s)$ with a Banach algebra structure with multiplication given by convolution,

$$(f * g)(v) := \sum_{u \in \mathbb{Z}^s} f(u)\, g(v - u).$$

Given $n \ge 1$ we also consider the space $\ell_1(\mathbb{Z}^s)^{n \times n}$ of $n \times n$ matrices with coefficients in $\ell_1(\mathbb{Z}^s)$. This is a complete normed linear space with respect to the infinity matrix norm

$$\|M\| := \max_{1 \le i \le n} \sum_{1 \le j \le n} \|M_{i,j}\|.$$

If we define matrix multiplication in the standard way, using the algebra structure on $\ell_1(\mathbb{Z}^s)$, then $\|MN\| \le \|M\|\,\|N\|$. In particular, if $\|M\| < 1$ then we can define a Kleene-star operation by $M^* := (I - M)^{-1} = \sum_{k=0}^{\infty} M^k$.

3 Weighted Automata 

To permit effective representation of automata we assume that all transition probabilities are rational numbers. In our technical development it is convenient to work with $\mathbb{Q}$-weighted automata [23], which are a generalisation of Rabin's probabilistic automata.

A $\mathbb{Q}$-weighted automaton $A = (n, \Sigma, M, \alpha, \eta)$ consists of a positive integer $n \in \mathbb{N}$ representing the number of states, a finite alphabet $\Sigma$, a map $M : \Sigma \to \mathbb{Q}^{n \times n}$ assigning a transition matrix to each alphabet symbol, an initial (row) vector $\alpha \in \mathbb{Q}^n$, and a final (column) vector $\eta \in \mathbb{Q}^n$. We extend $M$ to $\Sigma^*$ as the matrix product $M(\sigma_1 \cdots \sigma_k) := M(\sigma_1) \cdots M(\sigma_k)$. The automaton $A$ assigns each word $w$ a weight $A(w) \in \mathbb{Q}$, where $A(w) := \alpha\, M(w)\, \eta$. An automaton $A$ is said to be zero if $A(w) = 0$ for all $w \in \Sigma^*$. Two automata $B, C$ over the same alphabet $\Sigma$ are said to be equivalent if $B(w) = C(w)$ for all $w \in \Sigma^*$. In the remainder of this section we present a randomised $\mathrm{NC}^2$ algorithm for deciding equivalence of $\mathbb{Q}$-weighted automata and, in case of inequivalence, outputting a counterexample.



Given two automata $B, C$ that are to be checked for equivalence, one can compute an automaton $A$ with $A(w) = B(w) - C(w)$ for all $w \in \Sigma^*$. Then $A$ is zero if and only if $B$ and $C$ are equivalent. Given $B = (n^{(B)}, \Sigma, M^{(B)}, \alpha^{(B)}, \eta^{(B)})$ and $C = (n^{(C)}, \Sigma, M^{(C)}, \alpha^{(C)}, \eta^{(C)})$, set $A = (n, \Sigma, M, \alpha, \eta)$ with $n := n^{(B)} + n^{(C)}$ and

$$M(\sigma) := \begin{pmatrix} M^{(B)}(\sigma) & 0 \\ 0 & M^{(C)}(\sigma) \end{pmatrix}, \qquad \alpha := \big(\alpha^{(B)} \;\; \alpha^{(C)}\big), \qquad \eta := \begin{pmatrix} \eta^{(B)} \\ -\eta^{(C)} \end{pmatrix}.$$

This reduction allows us to focus on zeroness, i.e., the problem of determining whether a given $\mathbb{Q}$-weighted automaton $A = (n, \Sigma, M, \alpha, \eta)$ is zero. (Since transition weights can be negative, zeroness is not the same as emptiness of the underlying unweighted automaton.) Note that a witness word $w \in \Sigma^*$ against zeroness of $A$ is also a witness against the equivalence of $B$ and $C$. The following result from [27] is crucial.

Proposition 1. If $A$ is not equal to the zero automaton then there exists a word $u \in \Sigma^*$ of length at most $n - 1$ such that $A(u) \ne 0$.

Our randomised $\mathrm{NC}^2$ procedure uses the Isolating Lemma of Mulmuley, Vazirani and Vazirani [17]. We use this lemma in a very similar way to [17], who are concerned with computing maximum matchings in graphs in RNC.

Lemma 2. Let $\mathcal{F}$ be a family of subsets of a set $\{x_1, \ldots, x_N\}$. Suppose that each element $x_i$ is assigned a weight $w_i$ chosen independently and uniformly at random from $\{1, \ldots, 2N\}$. Define the weight of $S \in \mathcal{F}$ to be $\sum_{x_i \in S} w_i$. Then the probability that there is a unique minimum-weight set in $\mathcal{F}$ is at least $1/2$.

We will apply the Isolating Lemma in conjunction with Proposition 1 to decide zeroness of a weighted automaton $A$. Suppose $A$ has $n$ states and alphabet $\Sigma$. Given $\sigma \in \Sigma$ and $1 \le i \le n$, choose a weight $w_{i,\sigma}$ independently and uniformly at random from the set $\{1, \ldots, 2|\Sigma| n\}$. Define the weight of a word $u = \sigma_1 \cdots \sigma_k$, $k \le n$, to be $\mathrm{wt}(u) := \sum_{i=1}^{k} w_{i,\sigma_i}$. (The reader should not confuse this with the weight $A(u)$ assigned to $u$ by the automaton $A$.) Then we obtain a univariate polynomial $P$ from automaton $A$ as follows:

$$P(x) := \sum_{k=0}^{n} \sum_{u \in \Sigma^k} A(u)\, x^{\mathrm{wt}(u)}.$$

If $A$ is equivalent to the zero automaton then clearly $P = 0$. On the other hand, if $A$ is non-zero, then by Proposition 1 the set $T = \{u \in \Sigma^{\le n} : A(u) \ne 0\}$ is non-empty. Thus there is a unique minimum-weight word $u \in T$ with probability at least $1/2$ by the Isolating Lemma, applied to the family of sets $\{(i, \sigma_i) : 1 \le i \le |u|\}$, $u \in T$, over the $|\Sigma| n$ elements $(i, \sigma)$. In this case $P$ contains the monomial $x^{\mathrm{wt}(u)}$ with coefficient $A(u)$ as its smallest-degree monomial. Thus $P \ne 0$ with probability at least $1/2$.

It remains to observe that from the formula

$$P(x) = \alpha \Big( \sum_{k=0}^{n} \prod_{i=1}^{k} \Big( \sum_{\sigma \in \Sigma} M(\sigma)\, x^{w_{i,\sigma}} \Big) \Big) \eta ,$$

and the fact that iterated products of matrices of univariate polynomials can be computed in $\mathrm{NC}^2$ [7], we obtain an RNC algorithm for determining zeroness of weighted automata.

It is straightforward to extend the above algorithm to obtain an RNC procedure that not only decides zeroness of $A$ but also outputs a word $u$ such that $A(u) \ne 0$ in case $A$ is non-zero. Assume that $A$ is non-zero and that the random choice of weights has isolated a unique minimum-weight word $u = \sigma_1 \cdots \sigma_k$ such that $A(u) \ne 0$. To determine whether $\sigma \in \Sigma$ is the $i$-th letter of $u$ we can increase the weight $w_{i,\sigma}$ by $1$ while leaving all other weights unchanged and recompute the polynomial $P(x)$. Then $\sigma$ is the $i$-th letter in $u$ if and only if the minimum-degree monomial in $P$ changes: if $\sigma = \sigma_i$ the weight of $u$ rises to $\mathrm{wt}(u) + 1$ while every other word in $T$ already had weight at least $\mathrm{wt}(u) + 1$, so the monomial $x^{\mathrm{wt}(u)}$ disappears; otherwise $u$ remains the unique word of weight $\mathrm{wt}(u)$ in $T$ and the monomial is unchanged. All of these $|\Sigma| n$ tests can be done independently, yielding an RNC procedure. Since isolation only succeeds with probability at least $1/2$, the word extracted in this way should be verified by evaluating $A(u)$ directly, and the weights re-drawn if $A(u) = 0$.

Theorem 3. Given two weighted automata $A$ and $B$, there is an RNC procedure that determines whether or not $A$ and $B$ are equivalent and that outputs a word $w$ with $A(w) \ne B(w)$ in case $A$ and $B$ are inequivalent.
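The procedure of this section as an added worked example; this is not code from the paper or from the apex tool, and the two automata, the random seed and all names are constructed for the illustration. It builds the difference automaton of two $\mathbb{Q}$-weighted automata, draws the isolating weights $w_{i,\sigma}$, computes $P(x)$ exactly over the rationals, extracts the isolated word letter by letter with the bump-one-weight test, and verifies the extracted word by evaluating $A(u)$ directly, redrawing the weights when the isolation failed. The $|\Sigma| n$ letter tests, which are independent in the RNC procedure, run sequentially here.

```python
from fractions import Fraction
import random

# Added example, not the paper's code. A Q-weighted automaton (Section 3) is a tuple
# (n, alphabet, M, alpha, eta): M[sigma] is an n x n list of Fractions, alpha a row, eta a column.
# Univariate polynomials over Q are dicts {degree: coefficient} with zero coefficients dropped.

def poly_add(p, q):
    r = dict(p)
    for d, c in q.items():
        t = r.get(d, 0) + c
        if t == 0:
            r.pop(d, None)
        else:
            r[d] = t
    return r

def poly_mul(p, q):
    r = {}
    for d1, c1 in p.items():
        for d2, c2 in q.items():
            r[d1 + d2] = r.get(d1 + d2, 0) + c1 * c2
    return {d: c for d, c in r.items() if c != 0}

def mat_mul(A, B, add, mul, zero):
    """Matrix product over the ring given by (add, mul, zero): Q or Q[x]."""
    out = []
    for row in A:
        out.append([])
        for j in range(len(B[0])):
            acc = zero
            for k, a in enumerate(row):
                acc = add(acc, mul(a, B[k][j]))
            out[-1].append(acc)
    return out

def weight(aut, w):
    """A(w) = alpha M(w) eta, computed directly; used to verify an extracted witness."""
    n, _, M, alpha, eta = aut
    row = [list(alpha)]
    for sigma in w:
        row = mat_mul(row, M[sigma], lambda a, b: a + b, lambda a, b: a * b, Fraction(0))
    return sum(row[0][j] * eta[j] for j in range(n))

def difference(B, C):
    """The automaton A with A(w) = B(w) - C(w): block-diagonal transitions, final vector of C negated."""
    nb, alphabet, MB, aB, eB = B
    nc, _, MC, aC, eC = C
    z = Fraction(0)
    M = {s: [row + [z] * nc for row in MB[s]] + [[z] * nb + row for row in MC[s]] for s in alphabet}
    return (nb + nc, alphabet, M, list(aB) + list(aC), list(eB) + [-e for e in eC])

def isolating_poly(aut, wts):
    """P(x) = alpha (sum_{k<=n} prod_{i<=k} sum_sigma M(sigma) x^{w_{i,sigma}}) eta for weights wts[(i, sigma)]."""
    n, alphabet, M, alpha, eta = aut
    prefix = [[{0: Fraction(a)} if a != 0 else {} for a in alpha]]   # alpha times the product so far
    total = [dict(p) for p in prefix[0]]                               # the k = 0 term
    for i in range(n):
        step = [[{} for _ in range(n)] for _ in range(n)]              # sum_sigma M(sigma) x^{w_{i,sigma}}
        for s in alphabet:
            for r in range(n):
                for c in range(n):
                    if M[s][r][c] != 0:
                        step[r][c] = poly_add(step[r][c], {wts[(i, s)]: M[s][r][c]})
        prefix = mat_mul(prefix, step, poly_add, poly_mul, {})
        total = [poly_add(t, p) for t, p in zip(total, prefix[0])]
    P = {}
    for j in range(n):
        if eta[j] != 0:
            P = poly_add(P, poly_mul(total[j], {0: Fraction(eta[j])}))
    return P

def min_degree(P):
    return min(P) if P else None

def find_counterexample(aut, rounds=20, seed=0):
    """None if aut is zero (error probability at most 2^-rounds), else a word u with aut(u) != 0."""
    n, alphabet, _, _, _ = aut
    rng = random.Random(seed)
    bound = 2 * len(alphabet) * n                    # weights are drawn from {1, ..., 2|Sigma|n}
    for _ in range(rounds):
        wts = {(i, s): rng.randint(1, bound) for i in range(n) for s in alphabet}
        d0 = min_degree(isolating_poly(aut, wts))
        if d0 is None:
            continue                                 # P = 0: aut is zero, or the isolation failed
        letters = []
        for i in range(n):                           # the i-th letter is the sigma whose bump moves the minimum degree
            hit = next((s for s in alphabet
                        if min_degree(isolating_poly(aut, {**wts, (i, s): wts[(i, s)] + 1})) != d0), None)
            if hit is None:
                break                                # no letter at position i: the isolated word has length i
            letters.append(hit)
        u = "".join(letters)
        if weight(aut, u) != 0:                      # guards against a non-unique minimum
            return u
    return None

def equivalence_witness(B, C, seed=0):
    """Theorem 3: None if B and C are equivalent, else a word w with B(w) != C(w)."""
    return find_counterexample(difference(B, C), seed=seed)

# Constructed inputs. B: one state, every letter weighs 1/2, so B(w) = 2^-|w|.
# C: two states with all-1/4 matrices; with eta = (1, 1) it also gives C(w) = 2^-|w|.
half, quarter = Fraction(1, 2), Fraction(1, 4)
B = (1, "ab", {"a": [[half]], "b": [[half]]}, [Fraction(1)], [Fraction(1)])
C = (2, "ab", {"a": [[quarter] * 2] * 2, "b": [[quarter] * 2] * 2},
     [Fraction(1), Fraction(0)], [Fraction(1), Fraction(1)])
C_bad = (2, "ab", C[2], C[3], [Fraction(1), Fraction(0)])        # C_bad(w) = 2^-(|w|+1) for |w| >= 1
```

`equivalence_witness(B, C)` returns `None`, while `equivalence_witness(B, C_bad)` returns a word on which the two automata differ. The final `weight(aut, u) != 0` check is what makes the output correct regardless of whether the Isolating Lemma's event occurred: any word it accepts is a genuine witness, and a failed isolation only costs another round.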

4 Weighted Cost Automata 

In this section we consider weighted automata with costs. Each transition has a cost, and the cumulative cost of a run is recorded in a tuple of counters. Transitions can also have negative costs, which can be considered as rewards. Note though that the counters do not affect the control flow of the automata. In Example 9 we use costs to record the passage of time in an encryption protocol. We explicitly include $\varepsilon$-transitions in our automata because they are convenient for applications (cf. Example 8) and we cannot rely on existing $\varepsilon$-elimination results in the presence of costs.

Let $\Sigma$ be a finite alphabet not containing the symbol $\varepsilon$. A $\mathbb{Q}$-weighted cost automaton is a tuple $A = (n, s, \Sigma, M, \alpha, \eta)$, where $n \in \mathbb{N}$ is the number of states; $s \in \mathbb{N}$ is the number of counters; $M : \Sigma \cup \{\varepsilon\} \to (C \to \mathbb{Q})^{n \times n}$ is the transition function, where $C = \{-1, 0, 1\}^s$ is the set of elementary cost vectors; $\alpha \in \mathbb{Q}^n$ is an initial (row) vector; $\eta \in \mathbb{Q}^n$ is a final (column) vector. In this definition, $M(\sigma)_{i,j}(v)$ represents the weight of a $\sigma$-transition from state $i$ to $j$ with cost vector $v \in C$. For the semantics to be well-defined we assume that the total weight of all outgoing $\varepsilon$-labelled transitions from any given state is strictly less than $1$.

In order to define the semantics of weighted cost automata it is convenient to use results on matrices of formal power series from Section 2. We can regard $M(\sigma)$ as an $n \times n$ matrix whose entries are elements of the space $\ell_1(\mathbb{Z}^s)$ of formal power series, where $M(\sigma)_{i,j}(v) = 0$ for $v \in \mathbb{Z}^s \setminus C$. Our convention on the total weight of $\varepsilon$-transitions is equivalent to the requirement that $\|M(\varepsilon)\| < 1$. We next extend $M$ to a map $M : \Sigma^* \to (\ell_1(\mathbb{Z}^s))^{n \times n}$ such that, given a word $w \in \Sigma^*$ and states $i, j$, $M(w)_{i,j}(v)$ is the total weight of all $w$-labelled paths from state $i$ to state $j$ with accumulated cost $v \in \mathbb{Z}^s$. Given a word $w = \sigma_1 \sigma_2 \cdots \sigma_m \in \Sigma^*$, we define

$$M(w) := M(\varepsilon)^*\, M(\sigma_1)\, M(\varepsilon)^* \cdots M(\sigma_m)\, M(\varepsilon)^* . \qquad (1)$$

Finally, given $w \in \Sigma^*$ we define $A(w) := \alpha\, M(w)\, \eta$. Then $A(w)$ is an element of $\ell_1(\mathbb{Z}^s)$ such that $A(w)(v)$ gives the total weight of all accepting runs with accumulated cost $v \in \mathbb{Z}^s$.

Let $x = (x_1, \ldots, x_s)$ be a vector of variables, one for each counter. Our equivalence algorithm is based on a representation of $A(w)$ as a rational function in $x$, following classical ideas [19]. Given $v \in \mathbb{Z}^s$ we denote by $x^v$ the monomial $x_1^{v_1} \cdots x_s^{v_s}$. (Note that we allow negative powers in monomials.) We say that $f \in \ell_1(\mathbb{Z}^s)$ has finite support if $f(v) = 0$ for all but finitely many $v \in \mathbb{Z}^s$. We identify such an $f$ with the polynomial $\sum_{v \in \mathbb{Z}^s} f(v)\, x^v$. We furthermore say that $f \in \ell_1(\mathbb{Z}^s)$ is rational if there exist $g, h : \mathbb{Z}^s \to \mathbb{Q}$ with finite support such that $f * h = g$. We then identify $f$ with the rational function

$$\frac{\sum_{v \in \mathbb{Z}^s} g(v)\, x^v}{\sum_{v \in \mathbb{Z}^s} h(v)\, x^v} .$$

Note that we can clear all negative exponents from the numerator and denominator of such an expression. Note also that sums and products of rational functions correspond to sums and products in $\ell_1(\mathbb{Z}^s)$ in the above representation.

Proposition 4. $M(w)$ can be represented as a matrix of rational functions in $x$ such that the numerator and denominator in each matrix entry have degrees at most $2n(s+1) \cdot |w|$.

Proof. From equation (1) it suffices to show that $M(\varepsilon)^*$ can be represented as a matrix of rational functions with appropriate degree bounds. Recall that $M(\varepsilon)^* = (I - M(\varepsilon))^{-1}$, so it suffices to show that $I - M(\varepsilon)$ (considered as a matrix of polynomials) has an inverse that can be represented as a matrix of rational functions. But the determinant formula yields that $\det(I - M(\varepsilon))$ is a (non-zero) polynomial in $x$, thus the cofactor formula for inverting matrices yields a representation of $(I - M(\varepsilon))^{-1}$ as a matrix of rational functions in $x$ of degree at most $2ns$. □

An automaton $A$ is said to be zero if $A(w) = 0$ for all $w \in \Sigma^*$. Two automata $B, C$ over the same alphabet $\Sigma$ with the same number of counters are said to be equivalent if $B(w) = C(w)$ for all $w \in \Sigma^*$. As in Section 3, the equivalence problem can be reduced to the zeroness problem, so we focus on the latter.

The following proposition states that if there is a word witnessing that $A$ is non-zero, then there is a "short" such word.

Proposition 5. $A$ is zero if and only if $A(w) = 0$ for all $w \in \Sigma^*$ of length at most $n - 1$.

The proof, given in full in Appendix A, is similar to the linear algebra arguments from [23, 27], but involves an additional twist. The key idea is to substitute concrete values for the variables $x$, thereby transforming from the setting of infinite-dimensional vector spaces of rational functions in $x$ to a finite-dimensional setting where the arguments of [23, 27] apply.

The decidability of zeroness (and hence equivalence) for weighted cost automata follows immediately from Proposition 5, by checking the finitely many words of length at most $n - 1$; enumerating them, however, takes time exponential in $n$. Using polynomial identity testing, we arrive at the following theorem.

Theorem 6. The equivalence problem for weighted cost automata is decidable 
in randomised polynomial time. 

Proof. We have already observed that the equivalence problem can be reduced to the zeroness problem. We now reduce the zeroness problem to polynomial identity testing.

Given an automaton $A = (n, s, \Sigma, M, \alpha, \eta)$, for each word $w \in \Sigma^*$ of length at most $n$ we have a rational expression $A(w)$ in variables $x = (x_1, \ldots, x_s)$ which has degree at most $d := 2n(s+1) \cdot n$ by Proposition 4.

Now consider the set $R := \{1, 2, \ldots, 2d\}$. Suppose that we pick $r \in R^s$ uniformly at random. Denote by $A(w)(r)$ the result of substituting $r$ for $x$ in the rational expression $A(w)$. Clearly if $A$ is a zero automaton then $A(w)(r) = 0$ for all $r$. On the other hand, if $A$ is non-zero then by Proposition 5 there exists a word $w \in \Sigma^*$ of length at most $n$ such that $A(w) \ne 0$. Since the degree of the rational expression $A(w)$ is at most $d$ it follows from the Schwartz-Zippel theorem [9, 24, 29] that the probability that $A(w)(r) = 0$ is at most $1/2$.

Thus our randomised procedure is to pick $r \in R^s$ uniformly at random and to check whether $A(w)(r) = 0$ for all $w \in \Sigma^*$. It remains to show how we can do this check in polynomial time. To achieve this we show that there is a $\mathbb{Q}$-weighted automaton $B$ with no counters (and no $\varepsilon$-transitions) such that $A(w)(r) = B(w)$ for all $w \in \Sigma^*$, since we can then check $B$ for zeroness using, e.g., Tzeng's algorithm [27]. Write $M(\sigma)(r) := \sum_{v \in C} M(\sigma)(v)\, r^v$ for the rational matrix obtained by substituting $r$ into $M(\sigma)$, and $M(\varepsilon)^*(r) := (I - M(\varepsilon)(r))^{-1}$. The latter exists unless the sampled $r$ is a root of the non-zero polynomial $\det(I - M(\varepsilon))$, which the Schwartz-Zippel bound makes unlikely and which is detected, so one simply re-samples $r$ in that case. The automaton $B$ has the form $B = (n^{(B)}, \Sigma, M^{(B)}, \alpha^{(B)}, \eta^{(B)})$, where $n^{(B)} = n$, $\alpha^{(B)} = \alpha$, $\eta^{(B)} = M(\varepsilon)^*(r)\, \eta$ and $M^{(B)}(\sigma) = M(\varepsilon)^*(r)\, M(\sigma)(r)$ for all $\sigma \in \Sigma$, so that $B(w) = \alpha\, M(w)(r)\, \eta = A(w)(r)$ by equation (1). □

Corollary 7. For each fixed number of counters the equivalence problem for 
weighted cost automata is decidable in deterministic polynomial time. 

See Appendix A for a proof. 
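Theorem 6 in code, as an added example that is not the paper's or apex's implementation. A cost automaton is stored as a list of transitions (state, state, weight, cost vector); a random point $r \in \{1, \ldots, 2d\}^s$ is substituted into every transition matrix, $M(\varepsilon)^*(r) = (I - M(\varepsilon)(r))^{-1}$ is computed by Gauss-Jordan elimination over $\mathbb{Q}$, and equation (1) is evaluated at $r$ for the words of length at most $n - 1$ that Proposition 5 says suffice. Brute-force enumeration of those words stands in for Tzeng's algorithm on the counter-free automaton $B$ of the proof; it is exponential in the alphabet size, which is exactly why the proof uses $B$ instead. The two single-counter automata are my own hand translations of the two programs of Example 8 below, not the apex output of Figure 2: roughly one state per loop, with the $\eta$-weight of a state being the probability that the program halts there, chosen so that every state has total $\varepsilon$-weight below $1$ as the definition requires.

```python
from fractions import Fraction as F
import itertools
import random

# Added example, not the paper's code. A Q-weighted cost automaton (Section 4):
# transitions[label] lists (i, j, weight, cost_vector); the label "" stands for epsilon.
class CostAutomaton:
    def __init__(self, n, s, alphabet, alpha, eta, transitions):
        self.n, self.s, self.alphabet = n, s, alphabet
        self.alpha, self.eta, self.transitions = alpha, eta, transitions

def monomial(r, v):
    """r^v = prod r_i^{v_i}; negative exponents are allowed, so every r_i must be non-zero."""
    out = F(1)
    for ri, vi in zip(r, v):
        out *= F(ri) ** vi
    return out

def substituted(aut, label, r):
    """M(label)(r) = sum_v M(label)(v) r^v as an n x n matrix over Q."""
    mat = [[F(0)] * aut.n for _ in range(aut.n)]
    for i, j, w, v in aut.transitions.get(label, []):
        mat[i][j] += F(w) * monomial(r, v)
    return mat

def inverse(mat):
    """Gauss-Jordan inverse over Q; None if the matrix is singular."""
    n = len(mat)
    aug = [row[:] + [F(int(i == j)) for j in range(n)] for i, row in enumerate(mat)]
    for col in range(n):
        piv = next((k for k in range(col, n) if aug[k][col] != 0), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for k in range(n):
            if k != col and aug[k][col] != 0:
                f = aug[k][col]
                aug[k] = [a - f * b for a, b in zip(aug[k], aug[col])]
    return [row[n:] for row in aug]

def matmul(A, B):
    return [[sum(a * B[k][j] for k, a in enumerate(row)) for j in range(len(B[0]))] for row in A]

def value_at(aut, w, r):
    """A(w)(r): equation (1) with x := r, i.e. alpha M(eps)*(r) M(w_1)(r) M(eps)*(r) ... eta."""
    eps = substituted(aut, "", r)
    star = inverse([[F(int(i == j)) - eps[i][j] for j in range(aut.n)] for i in range(aut.n)])
    if star is None:
        raise ValueError("det(I - M(eps)(r)) = 0 at this r; re-sample r")
    row = matmul([aut.alpha], star)
    for sigma in w:
        row = matmul(matmul(row, substituted(aut, sigma, r)), star)
    return sum(a * b for a, b in zip(row[0], aut.eta))

def equivalent(B, C, trials=5, seed=0):
    """Theorem 6: compare B(w)(r) and C(w)(r) at random r for all words Proposition 5 requires.
    One-sided error: inequivalent automata slip through with probability about 2^-trials."""
    assert B.alphabet == C.alphabet and B.s == C.s
    n = B.n + C.n                       # states of the difference automaton
    d = 2 * n * (B.s + 1) * n           # degree bound from Proposition 4 for |w| <= n
    rng = random.Random(seed)
    usable = 0
    for _ in range(trials):
        r = [rng.randint(1, 2 * d) for _ in range(B.s)]
        try:
            for k in range(n):          # Proposition 5: length at most n - 1 suffices
                for w in itertools.product(B.alphabet, repeat=k):
                    if value_at(B, w, r) != value_at(C, w, r):
                        return False
            usable += 1
        except ValueError:
            continue                    # I - M(eps)(r) was singular for this r; try another
    if usable == 0:
        raise RuntimeError("every sampled r made I - M(eps)(r) singular")
    return True

# Hand translations of the two programs of Example 8 (constructed here, not the Figure 2 automata).
# Left program: q0 = the inc loop, q1 = the dec loop, entered after the first dec.
LEFT = CostAutomaton(2, 1, (), [F(1), F(0)], [F(1, 6), F(1, 3)], {
    "": [(0, 0, F(1, 2), (1,)),      # 1/2: inc and stay in the inc loop
         (0, 1, F(1, 3), (-1,)),     # 1/2 * 2/3: leave the inc loop and perform the first dec
         (1, 1, F(2, 3), (-1,))]})   # 2/3: another dec; halting (eta) has weight 1/3, and 1/2 * 1/3 from q0
# Right program: p0 = the initial coin flip, p1 = the inc loop, p2 = the dec loop.
RIGHT = CostAutomaton(3, 1, (), [F(1), F(0), F(0)], [F(1, 4), F(1, 2), F(1, 3)], {
    "": [(0, 1, F(1, 4), (1,)),      # heads (1/2) and the inc loop does an inc (1/2); 1/4 halts at once
         (0, 2, F(1, 2), (-1,)),     # tails (1/2): the first dec is unconditional
         (1, 1, F(1, 2), (1,)),
         (2, 2, F(2, 3), (-1,))]})
# A wrong variant of the right program: the tails branch gets probability 1/3 instead of 1/2.
WRONG = CostAutomaton(3, 1, (), RIGHT.alpha, RIGHT.eta, {
    "": [(0, 1, F(1, 4), (1,)), (0, 2, F(1, 3), (-1,)), (1, 1, F(1, 2), (1,)), (2, 2, F(2, 3), (-1,))]})
```

At $r = 1$ every $r^v$ is $1$, so `value_at(LEFT, (), [1])` is the total probability mass, $1$, a useful sanity check on a hand-built automaton. At $r = 3$ both automata evaluate to $-3/7$, the value of their common generating function $x / ((2 - x)(3x - 2))$ at $x = 3$; a point such as $r = 2$ makes $I - M(\varepsilon)(r)$ singular and is skipped, exactly the re-sampling step in the proof. Since the alphabet is empty only $w = \varepsilon$ is compared, which is the situation of Example 8.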

Example 8. We consider probabilistic programs that randomly increase and decrease a single counter (initialised with $0$) so that upon termination the counter has a random value $X \in \mathbb{Z}$. The programs should be such that $X$ is a random variable with $X = Y - Z$ where $Y$ and $Z$ are independent random variables with a geometric distribution with parameters $p = 1/2$ and $p = 1/3$, respectively. (By that we mean that $\Pr(Y = k) = (1 - p)^k p$ for $k \in \{0, 1, \ldots\}$, and similarly for $Z$.) Figure 1 shows code in the syntax of the apex tool.

The program on the left consecutively runs two while loops: it first incre- 
ments the counter according to a geometric distribution with parameter 1/2 and 
then decrements the counter according to a geometric distribution with parame- 
ter 1/3, so that the final counter value is distributed as desired. The program on 
the right is more efficient in that it runs only one of two while loops, depending 



Left program:

    inc : com, dec : com |-
      var%2 flip;
      flip := 0;
      while (flip = 0) do {
        flip := coin[0:1/2, 1:1/2];
        if (flip = 0) then {
          inc;
        };
      };
      flip := 0;
      while (flip = 0) do {
        flip := coin[0:2/3, 1:1/3];
        if (flip = 0) then {
          dec;
        };
      }
    : com

Right program:

    inc : com, dec : com |-
      var%2 flip;
      flip := coin[0:1/2, 1:1/2];
      if (flip = 0) then {
        while (flip = 0) do {
          flip := coin[0:1/2, 1:1/2];
          if (flip = 0) then {
            inc;
          };
        };
      } else {
        flip := 0;
        while (flip = 0) do {
          dec;
          flip := coin[0:2/3, 1:1/3];
        };
      }
    : com

Fig. 1. Two APEX programs for producing a counter that is distributed as the difference between two geometrically distributed random variables.

on a single coin flip at the beginning. It may not be obvious though that the final counter value follows the same distribution as in the left program. We used the APEX tool to translate the programs to the probabilistic cost automata $B$ and $C$ shown in Figure 2. Since the input alphabets are empty, it suffices to consider the input word $\varepsilon$ when comparing $B$ and $C$ for equivalence. If we construct the difference automaton $A = (5, 1, \emptyset, M, \alpha, \eta)$ and invert the matrix of polynomials $I - M(\varepsilon)$, we obtain $A(\varepsilon)(x) = \alpha\,(I - M(\varepsilon))^{-1}\,\eta = 0$, which proves equivalence of $B$ and $C$. Notice that the actual algorithm would not compute $A(\varepsilon)(x)$ as a rational function in $x$, but it would compute $A(\varepsilon)(r)$ only for a few concrete values $r \in \mathbb{Q}$. □

Fig. 2. Automata produced from the code in Figure 1. The states are labelled with their number and their "acceptance probability" ($\eta$-weight). In both automata, state 1 is the only initial state ($\alpha_1 = 1$ and $\alpha_i = 0$ for $i \ne 1$). The transitions are labelled with the input symbol $\varepsilon$, with a probability (weight) and a counter action (i.e. cost).

Example 9. RSA [21] is a widely-used cryptographic algorithm. Popular implementations of the RSA algorithm have been shown to be vulnerable to timing attacks that reveal private keys [13, 5]. The preferred countermeasures are blinding techniques that randomise certain aspects of the computation, which are described in, e.g., [13]. We model the timing behaviour of the RSA algorithm using probabilistic cost automata, where costs encode time. These automata are produced by apex, and are then used to check for timing leaks with and without blinding.

At the heart of RSA decryption is a modular exponentiation, which computes the value $m^d \bmod N$ where $m \in \{0, \ldots, N - 1\}$ is the encrypted message, $d \in \mathbb{N}$
is the private decryption exponent and $N \in \mathbb{N}$ is a modulus. An attacker wants to find out $d$. We model RSA decryption in apex by implementing modular exponentiation by iterative squaring (see Figure 3). We consider the situation where the attacker is able to control the message $m$, and tries to derive $d$ by observing the runtime distribution over different messages $m$. Following [13] we assume that the running time of multiplication depends on the operand values (because a source-level multiplication typically corresponds to a cascade of processor-level multiplications). By choosing the 'right' input message $m$, an attacker can observe which private keys are most likely.

We consider two blinding techniques mentioned in Kocher [13]. The first one is base blinding, i.e., the message is multiplied by $r^e$ before exponentiation, where $r$ is a random number and $e$ is the public exponent; since $(m r^e)^d \equiv m^d\, r \pmod N$, the result can be fixed by dividing by $r$, but the attacker can no longer control the basis of the exponentiation. The second one is exponent blinding, which adds a multiple of the order $\varphi(N)$ of the multiplicative group $(\mathbb{Z}/N\mathbb{Z})^{\times}$ to the exponent, which doesn't change the result of the exponentiation¹ but changes the timing behaviour.

Figure 4 shows the automaton for $N = 10$ and private key $0, 1, 0, 1$ with message blinding enabled. The apex program is given in Figure 3.

We investigate the effectiveness of blinding. Two private keys are indistin- 
guishable if the resulting automata are equivalent. The more keys are indistin- 
guishable the safer the algorithm. We analyse which private keys are identified 
by plain RSA, RSA with a blinded message and RSA with blinded exponent. 

For example, in plain RSA, the following keys 0, 1, 0, 1 and 1, 0, 0, 1 are indis- 
tinguishable, keys 0, 1, 1, and 0, 0, 1, 1 are indistinguishable with base blinding, 
lastly 1, 0, 0, 1 and 1, 0, 1, 1 are equivalent only with exponent blinding. Overall 

¹ Euler's totient function $\varphi$ satisfies $a^{\varphi(N)} \equiv 1 \pmod N$ for all $a$ coprime to $N$.



9 different keys are distinguishable with plain RSA, 7 classes with base blinding 
and 4 classes with exponent blinding. 

    const N := 10;        // modulus
    const Bits := 4;      // number of bits of the key

    m : int%N, inc : com |-
      var%2 exponent[Bits] = [0,1,0,1];
      com power(x : int%N) {
        var%N s := 1;
        var%N R;
        for (var%(Bits + 1) k; k < Bits; ++k) do {
          R := s;
          if (exponent[k]) then {
            R := R*x;
            if (5 <= R) then { inc; inc } else { inc }
          }
          s := R*R;
        }
      }
      var%N message := m*rand[N];   // blinding
      power(message) : com

Fig. 3. APEX code for RSA.



5 Pushdown Automata and Arithmetic Circuits 

In a visibly pushdown automaton [3] the stack operations are determined by 
the input word. Consequently VPA have a more tractable language theory than 
ordinary pushdown automata. The main result of this section shows that the 
equivalence problem for weighted VPA is logspace equivalent to the problem 
ACIT of determining whether a polynomial represented by an arithmetic circuit 
is identically zero. 

A visibly pushdown alphabet $\Sigma = \Sigma_c \cup \Sigma_r \cup \Sigma_{int}$ consists of a finite set of calls $\Sigma_c$, a finite set of returns $\Sigma_r$, and a finite set of internal actions $\Sigma_{int}$. A visibly pushdown automaton over alphabet $\Sigma$ is restricted so that it pushes onto the stack when it reads a call, pops the stack when it reads a return, and leaves the stack untouched when reading internal actions. Due to this restriction visibly pushdown automata only accept words in which calls and returns are appropriately matched. Define the set of well-matched words to be $\bigcup_{i=0}^{\infty} L_i$, where $L_0 = \Sigma_{int} + \{\varepsilon\}$ and $L_{i+1} = \Sigma_c L_i \Sigma_r + L_i L_i$.

Fig. 4. Modeling RSA decryption with APEX.

A $\mathbb{Q}$-weighted visibly pushdown automaton on alphabet $\Sigma$ is a tuple $A = (n, \alpha, \eta, \Gamma, M)$, where $n$ is the number of states, $\alpha$ is an $n$-dimensional initial (row) vector, $\eta$ is an $n$-dimensional final (column) vector, $\Gamma$ is a finite stack alphabet, and $M = (M_c, M_r, M_{int})$ is a tuple of matrix-valued transition functions with types $M_c : \Sigma_c \times \Gamma \to \mathbb{Q}^{n \times n}$, $M_r : \Sigma_r \times \Gamma \to \mathbb{Q}^{n \times n}$ and $M_{int} : \Sigma_{int} \to \mathbb{Q}^{n \times n}$. If $a \in \Sigma_c$ and $\gamma \in \Gamma$ then $M_c(a, \gamma)_{i,j}$ gives the weight of an $a$-labelled transition from state $i$ to state $j$ that pushes $\gamma$ on the stack. If $a \in \Sigma_r$ and $\gamma \in \Gamma$ then $M_r(a, \gamma)_{i,j}$ gives the weight of an $a$-labelled transition from state $i$ to $j$ that pops $\gamma$ from the stack.

For each well-matched word $u \in \Sigma^*$ we define an $n \times n$ rational matrix $M^{(A)}(u)$ whose $(i, j)$-th entry denotes the total weight of all paths from state $i$ to state $j$ along input $u$. The definition of $M^{(A)}(u)$ follows the inductive definition of well-matched words. The base cases are $M^{(A)}(\varepsilon) = I$ and $M^{(A)}(a)_{i,j} = M_{int}(a)_{i,j}$ for $a \in \Sigma_{int}$. The inductive cases are

$$M^{(A)}(uv) = M^{(A)}(u) \cdot M^{(A)}(v), \qquad M^{(A)}(aub) = \sum_{\gamma \in \Gamma} M_c(a, \gamma) \cdot M^{(A)}(u) \cdot M_r(b, \gamma),$$

for $a \in \Sigma_c$, $b \in \Sigma_r$; a path that pushes $\gamma$ on reading $a$ must pop the same $\gamma$ on reading the matching $b$, hence the sum over $\gamma$.

The weight assigned by $A$ to a well-matched word $w$ is defined to be $A(w) := \alpha\, M^{(A)}(w)\, \eta$. We say that two weighted VPA $A$ and $B$ are equivalent if for each well-matched word $w$ we have $A(w) = B(w)$.

An arithmetic circuit is a finite directed acyclic multigraph whose vertices, called gates, have indegree $0$ or $2$. Vertices of indegree $0$ are called input gates and are labelled with a constant $0$ or $1$, or a variable from the set $\{x_i : i \in \mathbb{N}\}$. Vertices of indegree $2$ are called internal gates and are labelled with one of the arithmetic operations $+$, $*$ or $-$. We assume that there is a unique gate with outdegree $0$ called the output. Note that a circuit is a multigraph, so there can be two edges between a pair of gates, i.e., both inputs to a given gate can lead from the same source. We call a circuit variable-free if all input gates are labelled $0$ or $1$.

The Arithmetic Circuit Identity Testing (ACIT) problem asks whether the output of a given circuit is equal to the zero polynomial. ACIT is known to be in coRP but it remains open whether there is a deterministic polynomial or even sub-exponential algorithm for this problem [1]. Utilising the fact that a variable-free arithmetic circuit of size $O(n)$ can compute $2^{2^n}$ (by repeated squaring), Allender et al. [1] give a logspace reduction of the general ACIT problem to the special case of variable-free circuits. Henceforth we assume without loss of generality that all circuits are variable-free. Furthermore we recall that ACIT can be reformulated as the problem of deciding whether two variable-free circuits using only the arithmetic operations $+$ and $*$ compute the same number [1].

The proof of the following proposition is given in Appendix B. 

Proposition 10. ACIT is logspace reducible to the equivalence problem for 
weighted visibly pushdown automata. 

In the remainder of this section we give a converse reduction: from equivalence 
of weighted VPA to ACIT. The following result gives a decision procedure for 
the equivalence of two weighted VPA A and B. 

Proposition 11. $A$ is equivalent to $B$ if and only if $A(w) = B(w)$ for all words $w \in L_{n^2}$, where $n$ is the sum of the number of states of $A$ and the number of states of $B$.

Proof. Recall that for each well-matched word $u \in \Sigma^*$ we have rational matrices $M^{(A)}(u)$ and $M^{(B)}(u)$ giving the respective state-to-state transition weights of $A$ and $B$ on reading $u$. These two families of matrices can be combined into a single family

$$\mathcal{M} = \Big\{ \begin{pmatrix} M^{(A)}(u) & 0 \\ 0 & M^{(B)}(u) \end{pmatrix} : u \text{ well-matched} \Big\}$$

of $n \times n$ matrices. Let us also write $\mathcal{M}_i$ for the subset of $\mathcal{M}$ generated by those well-matched words $u \in L_i$.

Let $\alpha^{(A)}, \eta^{(A)}$ and $\alpha^{(B)}, \eta^{(B)}$ be the respective initial and final-state vectors of $A$ and $B$. Then $A$ is equivalent to $B$ if and only if

$$\big(\alpha^{(A)} \;\; \alpha^{(B)}\big)\; M\; \begin{pmatrix} \eta^{(A)} \\ -\eta^{(B)} \end{pmatrix} = 0 \qquad (2)$$

for all $M \in \mathcal{M}$. It follows that $A$ is equivalent to $B$ if and only if (2) holds for all $M$ in $\mathrm{span}(\mathcal{M})$, where the span is taken in the rational vector space of $n \times n$ rational matrices. But $\mathrm{span}(\mathcal{M}_i)$ is an ascending sequence of vector spaces:

$$\mathrm{span}(\mathcal{M}_0) \subseteq \mathrm{span}(\mathcal{M}_1) \subseteq \mathrm{span}(\mathcal{M}_2) \subseteq \cdots$$

Moreover, once two consecutive spaces coincide the sequence is constant from then on, because $\mathcal{M}_{i+1}$ is obtained from $\mathcal{M}_i$ by the bilinear operations in the definition of $L_{i+1}$. It follows from a dimension argument that this sequence stops in at most $n^2$ steps, the dimension of the space of $n \times n$ matrices, and we conclude that $\mathrm{span}(\mathcal{M}) = \mathrm{span}(\mathcal{M}_{n^2})$. □

Proposition 12. Given a weighted visibly pushdown automaton $A$ and $n \in \mathbb{N}$ one can compute in logarithmic space a circuit that represents $\sum_{w \in L_n} A(w)$.

Proof. From the definition of the language $L_i$ and the family of matrices $\mathcal{M}^{(A)}$ we have:

+ (e^^-"H-)) (e^^^H-)) • 

\ueLi / \ueLi J 



The above equation implies that we can compute in logarithmic space a circuit that represents $\sum_{u \in L_i} M^{(A)}(u)$. The result of the proposition immediately follows by premultiplying by the initial state vector and postmultiplying by the final state vector. □

A key property of weighted VPA is their closure under product. 

Proposition 13. Given weighted VPA $A$ and $B$ on the same alphabet $\Sigma$ one can define a synchronous-product automaton, denoted $A \times B$, such that $(A \times B)(w) = A(w)B(w)$ for all $w \in \Sigma^*$.

The proof of Proposition 13, given in Appendix B, exploits the fact that the 
stack height is determined by the input word, so the respective stacks of A and 
B operating in parallel can be simulated in a single stack. 

Proposition 14. The equivalence problem for weighted visibly pushdown au- 
tomata is logspace reducible to ACIT. 

Proof. Let $A$ and $B$ be weighted visibly pushdown automata with a total of $n$ states between them. Then

$$\sum_{w \in L_{n^2}} \bigl(A(w) - B(w)\bigr)^2 = \sum_{w \in L_{n^2}} (A \times A)(w) + (B \times B)(w) - 2(A \times B)(w)$$

Thus $A$ is equivalent to $B$ iff $\sum_{w \in L_{n^2}} (A \times A)(w) + (B \times B)(w) = 2 \sum_{w \in L_{n^2}} (A \times B)(w)$. But Propositions 12 and 13 allow us to translate the above equation into an instance of ACIT. □

The trick of considering sums-of-squares of acceptance weights in the above 
proof is inspired by [28, Lemma 1]. 
A Proofs of Section 4



Proposition 5. $A$ is zero if and only if $A(w) = 0$ for all $w \in \Sigma^*$ of length at most $n - 1$.

Proof. Suppose that $A$ is non-zero. Then there exists some word $w \in \Sigma^*$ such that $\alpha M(w)\eta$ is a non-zero rational expression in $x$. Thus we can pick $r \in \mathbb{Q}^s$ such that $\alpha M(w)(r)\eta \neq 0$. Now define

$$V_i := \mathrm{Span}\{\alpha M(u)(r) \in \mathbb{Q}^n : |u| \le i\} .$$

Then $V_0 \subseteq V_1 \subseteq V_2 \subseteq \ldots$ is an increasing family of subspaces of $\mathbb{Q}^n$. Considering the dimension of each $V_i$ there exists $i_0 < n$ with $V_{i_0} = V_{i_0+1}$. But for all $i$ we have

$$V_{i+1} = \mathrm{Span}\bigl(V_i \cup \{(vM(a)M(\varepsilon)^*)(r) : a \in \Sigma, v \in V_i\}\bigr)$$

From this characterisation it is clear that $V_{i_0+1} = V_{i_0}$ entails that $V_i = V_{i_0}$ for all $i \ge i_0$.

From the assumption that $A(w) \neq 0$ as a rational function there exists $r \in \mathbb{Q}^s$ such that $A(w)(r) \neq 0$. By the above we have that $\alpha M(w)(r) \in V_{i_0}$ and thus $\eta$ is not orthogonal to $V_{i_0}$. In particular, there exists some word $u$ of length at most $i_0 \le n - 1$ such that $\alpha M(u)(r)\eta \neq 0$. But then $A(u) \neq 0$. □
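As an added illustration, not taken from the paper, the subspace-saturation argument of the proof of Proposition 5 turned into an exact equivalence check: it runs on the block-diagonal "difference" automaton of equation (2) from the proof of Proposition 11, so the chain $V_0 \subseteq V_1 \subseteq \ldots$ stabilises within $n$ steps and any counterexample found has length at most $n-1$. Weights are fixed rationals, i.e. the automata are taken after the evaluation point $r$ has been chosen; the automata A, B, C and the helper names are constructed for this example.

```python
from fractions import Fraction as F
from collections import deque

def vec_mat(v, M):  # row vector times matrix, exact rational arithmetic
    return [sum(v[i] * M[i][j] for i in range(len(v))) for j in range(len(M[0]))]

def insert_if_independent(basis, v):
    """basis: (pivot, row) pairs in insertion order, each row zero at all earlier
    pivots.  Reduce v against them; append it iff it lies outside their span."""
    v = list(v)
    for piv, row in basis:
        if v[piv] != 0:
            f = v[piv] / row[piv]
            v = [x - f * y for x, y in zip(v, row)]
    for piv, x in enumerate(v):
        if x != 0:
            basis.append((piv, v))
            return True
    return False

def equivalent(A, B, alphabet):
    """A, B = (alpha, M, eta): initial row vector, letter -> matrix, final vector.
    Runs on the block-diagonal automaton of equation (2) (initial (alpha_A, alpha_B),
    final (eta_A, -eta_B)) and walks the chain V_0 <= V_1 <= ... of Proposition 5:
    a word is explored only when alpha M(w) adds a new dimension, so at most n
    vectors are visited.  Returns (True, None) or (False, w) with A(w) != B(w)."""
    (aA, MA, eA), (aB, MB, eB) = A, B
    nA = len(aA)
    alpha, eta = list(aA) + list(aB), list(eA) + [-x for x in eB]
    basis, queue = [], deque([(alpha, "")])
    insert_if_independent(basis, alpha)
    while queue:
        v, w = queue.popleft()
        if sum(x * y for x, y in zip(v, eta)) != 0:
            return False, w                      # A(w) - B(w) != 0: counterexample
        for a in alphabet:
            u = vec_mat(v[:nA], MA[a]) + vec_mat(v[nA:], MB[a])
            if insert_if_independent(basis, u):  # new direction: keep exploring it
                queue.append((u, w + a))
    return True, None                            # eta orthogonal to the whole span

def ident(n):  # n x n identity matrix over the rationals
    return [[F(int(i == j)) for j in range(n)] for i in range(n)]

# Constructed sample automata over {a, b}; b is a self-loop in every state.
A = ([F(1), F(0)],                      # on a: stay w.p. 1/2 or enter the accepting sink s1
     {"a": [[F(1, 2), F(1, 2)], [F(0), F(1)]], "b": ident(2)}, [F(0), F(1)])
B = ([F(1), F(0), F(0)],                # A with the sink split into two accepting states
     {"a": [[F(1, 2), F(1, 4), F(1, 4)], [F(0), F(1), F(0)], [F(0), F(0), F(1)]],
      "b": ident(3)}, [F(0), F(1), F(1)])
C = (B[0], B[1], [F(0), F(1), F(0)])    # only one sink state accepts: C(a) = 1/4 != A(a)
```

`equivalent(A, B, "ab")` returns `(True, None)` although A and B have different numbers of states, while `equivalent(A, C, "ab")` returns `(False, "a")`, the shortest word on which the two acceptance probabilities differ.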

Corollary 7. For each fixed number of counters the equivalence problem for 
weighted cost automata is decidable in deterministic polynomial time. 

Proof. Consider a counter automaton $A$ to be checked for zeroness. If the number $s$ of counters is fixed, then the set of sample points $W$ in the proof of Theorem 6 has polynomial size. Thus we can in polynomial time test whether $A(w)(r) = 0$ for all $w \in \Sigma^*$ and $r \in W$. If $A$ is non-zero then the proof of Theorem 6 guarantees the existence of $w \in \Sigma^*$ and $r \in W$ such that $A(w)(r) \neq 0$. □

B Proofs of Section 5 



Proposition 10. ACIT is logspace reducible to the equivalence problem for 
weighted visibly pushdown automata. 

Proof. Let $C$ and $C'$ be two circuits over basis $\{+, *\}$. Without loss of generality we assume that in each circuit the inputs of a depth-$i$ gate both have depth $i + 1$, $+$-nodes have even depth, $*$-nodes have odd depth, and input nodes all have the same depth $d$. Notice that in either circuit any path from an input gate to an output gate has length $d$.

We define two automata $A$ and $A'$ that are equivalent if and only if $C$ and $C'$ have the same output. Both automata are defined over the alphabet $\{c, r, \iota\}$, with $c$ a call, $r$ a return and $\iota$ an internal event. We explain how $A$ arises from $C$; the definition of $A'$ is entirely analogous.

Suppose that $C$ has set of gates $\{g_0, g_1, \ldots\}$ with $g_0$ the output gate. For each gate $g_i$ of $C$ we include a state $s_i$ of $A$ and a stack symbol $\gamma_i$. The initial state of $A$ is $s_0$, and all states are accepting. The transitions of $A$ are defined as follows:

— For each $+$-gate $g_i := g_j + g_k$ in $C$ we include an internal transition from $s_i$ that goes to $s_j$ with probability $1/2$ and to $s_k$ with probability $1/2$.

— For each $*$-gate $g_i := g_j * g_k$ we include a probability-$1$ call transition from $s_i$ to $s_j$ that pushes $\gamma_k$ onto the stack.

— An input gate $g_i$ with label $0$ contributes no transitions.

— For each input gate $g_i$ with label $1$ and each stack symbol $\gamma_j$, we include a return transition from $s_i$ that pops $\gamma_j$ off the stack and ends in state $s_j$ with probability $1$.

Recall that acceptance is by empty stack and final state. By construction $A$ only accepts a single word, as we now explain. Define a sequence of words $w_n \in \{c, r, \iota\}^*$ by $w_0 = \iota$, $w_{n+1} = \iota\, w_n$ for $n$ even, and $w_{n+1} = c\, w_n\, r\, w_n$ for $n$ odd. Furthermore, write $M_0 = 1$, $M_{n+1} = 2M_n$ for $n$ even, and $M_{n+1} = M_n^2$ for $n$ odd. Then $A$ accepts $w_d$ with probability $N/M_d$, where $d$ is the depth of the circuit $C$ and $N$ is the output of $C$. All other words are accepted with probability $0$. We conclude that $C$ and $C'$ have the same value if and only if $A$ and $A'$ are equivalent. □

Proposition 13. Given weighted VPA $A$ and $B$ on the same alphabet $\Sigma$ one can define a synchronous-product automaton, denoted $A \times B$, such that $(A \times B)(w) = A(w)B(w)$ for all $w \in \Sigma^*$.

Proof. Let $A = (n^{(A)}, \Sigma, \Gamma^{(A)}, M^{(A)}, \alpha^{(A)}, \eta^{(A)})$ and $B = (n^{(B)}, \Sigma, \Gamma^{(B)}, M^{(B)}, \alpha^{(B)}, \eta^{(B)})$. We define a product automaton $C$. Note that since the stack height is determined by the input word we can simulate the respective stacks of $A$ and $B$ using a single stack in $C$ whose alphabet is the product of the respective stack alphabets of $A$ and $B$.

The number of states of $C$ is $n^{(A)} \cdot n^{(B)}$. The initial vector $\alpha^{(C)}$ has $(i,j)$-th component $\alpha^{(A)}_i \cdot \alpha^{(B)}_j$. The final vector $\eta^{(C)}$ is defined likewise. The stack alphabet of $C$ is $\Gamma^{(A)} \times \Gamma^{(B)}$. Given $a \in \Sigma$ we define the $((i,j),(k,l))$-th component of the transition matrix $M^{(C)}(a, (\gamma, \gamma'))$ to be the product of the $(i,k)$-th component of $M^{(A)}(a, \gamma)$ and the $(j,l)$-th component of $M^{(B)}(a, \gamma')$. □



